From 4c0f66da907f8e0c4130de0592edf90dfba8efad Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 09:59:40 +0000
Subject: [PATCH] Version Packages

---
 .changeset/native-binary-guards.md | 9 -----
 .../stack-protect-ffi-0-26-oidc-strategy.md | 32 ------------------
 examples/basic/CHANGELOG.md | 7 ++++
 examples/basic/package.json | 2 +-
 examples/prisma/CHANGELOG.md | 8 +++++
 examples/prisma/package.json | 2 +-
 packages/bench/CHANGELOG.md | 7 ++++
 packages/bench/package.json | 2 +-
 packages/cli/CHANGELOG.md | 14 ++++++++
 packages/cli/package.json | 2 +-
 packages/prisma-next/CHANGELOG.md | 7 ++++
 packages/prisma-next/package.json | 2 +-
 packages/stack/CHANGELOG.md | 33 +++++++++++++++++++
 packages/stack/package.json | 2 +-
 14 files changed, 82 insertions(+), 47 deletions(-)
 delete mode 100644 .changeset/native-binary-guards.md
 delete mode 100644 .changeset/stack-protect-ffi-0-26-oidc-strategy.md

diff --git a/.changeset/native-binary-guards.md b/.changeset/native-binary-guards.md
deleted file mode 100644
index cd321d04..00000000
--- a/.changeset/native-binary-guards.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-"stash": minor
----
-
-Add guards for missing native binaries. When npm skips the platform-specific
-optional dependency (a known npm bug), stash now prints actionable fix
-guidance instead of a raw `MODULE_NOT_FOUND` stack trace. Adds a new
-`stash doctor` command that diagnoses the runtime and native modules and works
-even when a binary is missing.
diff --git a/.changeset/stack-protect-ffi-0-26-oidc-strategy.md b/.changeset/stack-protect-ffi-0-26-oidc-strategy.md
deleted file mode 100644
index 0b86f49b..00000000
--- a/.changeset/stack-protect-ffi-0-26-oidc-strategy.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-"@cipherstash/stack": minor
----
-
-Bump `@cipherstash/protect-ffi` to `0.26.0` and `@cipherstash/auth` to `0.40.0`, and replace the lock-context token ceremony with a strategy-based approach for identity-bound encryption.
-
-**protect-ffi `0.26.0`** supersedes `0.25.0`. The public API is unchanged from `0.25` (internal fixes only). As in `0.25`, `serviceToken` is gone from the encrypt / decrypt / query option types; auth flows through the client's strategy / credentials, and lock contexts travel as `lockContext.identityClaim`. The WASM-inline path takes a single options object with the auth strategy nested under `strategy`, and `Encryption()` config uses **`workspaceCrn`** (`CS_WORKSPACE_CRN`) as the single source of truth — `CS_REGION` is no longer consulted. On that path `workspaceCrn` is required only alongside an `accessKey` (it derives the region); with a pre-built `strategy` it is **optional**, since the strategy already carries the CRN.
-
-**Strategy-based, identity-bound encryption.** `OidcFederationStrategy` federates an end user's third-party OIDC JWT (Clerk, Supabase, Auth0, …) into a CTS service token. As of `@cipherstash/auth` `0.40` it takes a `workspaceCrn` (region derived from the CRN), matching `AccessKeyStrategy`. Pass it as `config.strategy` so every ZeroKMS request authenticates *as that user*, then bind the data key to a claim with `.withLockContext({ identityClaim })`:
-
-```ts
-import { Encryption, OidcFederationStrategy } from "@cipherstash/stack"
-
-const client = await Encryption({
- schemas: [users],
- config: {
- strategy: OidcFederationStrategy.create(workspaceCrn, () => getUserJwt()),
- },
-})
-
-await client
- .encrypt("alice@example.com", { column: users.email, table: users })
- .withLockContext({ identityClaim: ["sub"] })
-```
-
-This replaces the old ceremony (`new LockContext()` → `await lc.identify(jwt)` → `.withLockContext(lc)`), which relied on a per-operation CTS token that protect-ffi removed in `0.25`.
-
-- **`.withLockContext()`** now accepts a plain `{ identityClaim }` object (as well as a `LockContext`) and no longer requires a CTS token or an `identify()` call — it carries the identity claim only.
-- **`LockContext.identify()` / `getLockContext()`** are **deprecated** (kept for backwards compatibility); the strategy handles token acquisition.
-- **Strategies are re-exported** from `@cipherstash/stack` (`OidcFederationStrategy`, `AccessKeyStrategy`, `AutoStrategy`, `DeviceSessionStrategy`) and from `@cipherstash/stack/wasm-inline` (`OidcFederationStrategy`, `AccessKeyStrategy`) so integrators don't need a separate `@cipherstash/auth` install. `AuthStrategy` remains re-exported for the structural type.
-
-Existing credential / env behaviour is preserved when `config.strategy` is omitted.
diff --git a/examples/basic/CHANGELOG.md b/examples/basic/CHANGELOG.md
index 90729ab3..4a123c4f 100644
--- a/examples/basic/CHANGELOG.md
+++ b/examples/basic/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @cipherstash/basic-example
 
+## 1.2.13
+
+### Patch Changes
+
+- Updated dependencies [35b9ed6]
+ - @cipherstash/stack@0.19.0
+
 ## 1.2.12
 
 ### Patch Changes
diff --git a/examples/basic/package.json b/examples/basic/package.json
index cb7d329d..87c6c8fd 100644
--- a/examples/basic/package.json
+++ b/examples/basic/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@cipherstash/basic-example",
 "private": true,
- "version": "1.2.12",
+ "version": "1.2.13",
 "type": "module",
 "scripts": {
 "start": "tsx index.ts"
diff --git a/examples/prisma/CHANGELOG.md b/examples/prisma/CHANGELOG.md
index c1ce61e9..1654da16 100644
--- a/examples/prisma/CHANGELOG.md
+++ b/examples/prisma/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @cipherstash/prisma-next-example
 
+## 0.0.5
+
+### Patch Changes
+
+- Updated dependencies [35b9ed6]
+ - @cipherstash/stack@0.19.0
+ - @cipherstash/prisma-next@0.3.2
+
 ## 0.0.4
 
 ### Patch Changes
diff --git a/examples/prisma/package.json b/examples/prisma/package.json
index dc8d3e84..9560b85b 100644
--- a/examples/prisma/package.json
+++ b/examples/prisma/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@cipherstash/prisma-next-example",
 "private": true,
- "version": "0.0.4",
+ "version": "0.0.5",
 "description": "End-to-end example of @cipherstash/prisma-next: searchable application-layer encryption for Postgres with Prisma Next, using @cipherstash/stack as the SDK.",
 "type": "module",
 "scripts": {
diff --git a/packages/bench/CHANGELOG.md b/packages/bench/CHANGELOG.md
index ec91d36b..bfa6b4df 100644
--- a/packages/bench/CHANGELOG.md
+++ b/packages/bench/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @cipherstash/bench
 
+## 0.0.4
+
+### Patch Changes
+
+- Updated dependencies [35b9ed6]
+ - @cipherstash/stack@0.19.0
+
 ## 0.0.3
 
 ### Patch Changes
diff --git a/packages/bench/package.json b/packages/bench/package.json
index 16636149..40dcc4a7 100644
--- a/packages/bench/package.json
+++ b/packages/bench/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cipherstash/bench",
- "version": "0.0.3",
+ "version": "0.0.4",
 "private": true,
 "description": "Performance / index-engagement benchmarks for stack integrations (Drizzle, encryptedSupabase, Prisma).",
 "type": "module",
diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md
index c61a4f1e..3b9421dd 100644
--- a/packages/cli/CHANGELOG.md
+++ b/packages/cli/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @cipherstash/cli
 
+## 0.17.0
+
+### Minor Changes
+
+- eb94ac8: Add guards for missing native binaries. When npm skips the platform-specific
+ optional dependency (a known npm bug), stash now prints actionable fix
+ guidance instead of a raw `MODULE_NOT_FOUND` stack trace. Adds a new
+ `stash doctor` command that diagnoses the runtime and native modules and works
+ even when a binary is missing.
+
+### Patch Changes
+
+- @cipherstash/migrate@0.2.0
+
 ## 0.16.0
 
 ### Minor Changes
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 3246b838..d0571f74 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
 "name": "stash",
- "version": "0.16.0",
+ "version": "0.17.0",
 "description": "CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, and secrets.",
 "repository": {
 "type": "git",
diff --git a/packages/prisma-next/CHANGELOG.md b/packages/prisma-next/CHANGELOG.md
index 0625ee41..9b040e20 100644
--- a/packages/prisma-next/CHANGELOG.md
+++ b/packages/prisma-next/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @cipherstash/prisma-next
 
+## 0.3.2
+
+### Patch Changes
+
+- Updated dependencies [35b9ed6]
+ - @cipherstash/stack@0.19.0
+
 ## 0.3.1
 
 ### Patch Changes
diff --git a/packages/prisma-next/package.json b/packages/prisma-next/package.json
index c0db088f..fb7f55a1 100644
--- a/packages/prisma-next/package.json
+++ b/packages/prisma-next/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cipherstash/prisma-next",
- "version": "0.3.1",
+ "version": "0.3.2",
 "license": "MIT",
 "author": "CipherStash ",
 "description": "CipherStash extension for Prisma Next: searchable application-layer field-level encryption for Postgres, with six encrypted column types, 17 query operators, bulk encrypt/decrypt middleware, and a baseline migration that installs the vendored EQL bundle SQL byte-for-byte.",
diff --git a/packages/stack/CHANGELOG.md b/packages/stack/CHANGELOG.md
index ff6208f9..2963eb3b 100644
--- a/packages/stack/CHANGELOG.md
+++ b/packages/stack/CHANGELOG.md
@@ -1,5 +1,38 @@
 # @cipherstash/stack
 
+## 0.19.0
+
+### Minor Changes
+
+- 35b9ed6: Bump `@cipherstash/protect-ffi` to `0.26.0` and `@cipherstash/auth` to `0.40.0`, and replace the lock-context token ceremony with a strategy-based approach for identity-bound encryption.
+
+ **protect-ffi `0.26.0`** supersedes `0.25.0`. The public API is unchanged from `0.25` (internal fixes only). As in `0.25`, `serviceToken` is gone from the encrypt / decrypt / query option types; auth flows through the client's strategy / credentials, and lock contexts travel as `lockContext.identityClaim`. The WASM-inline path takes a single options object with the auth strategy nested under `strategy`, and `Encryption()` config uses **`workspaceCrn`** (`CS_WORKSPACE_CRN`) as the single source of truth — `CS_REGION` is no longer consulted. On that path `workspaceCrn` is required only alongside an `accessKey` (it derives the region); with a pre-built `strategy` it is **optional**, since the strategy already carries the CRN.
+
+ **Strategy-based, identity-bound encryption.** `OidcFederationStrategy` federates an end user's third-party OIDC JWT (Clerk, Supabase, Auth0, …) into a CTS service token. As of `@cipherstash/auth` `0.40` it takes a `workspaceCrn` (region derived from the CRN), matching `AccessKeyStrategy`. Pass it as `config.strategy` so every ZeroKMS request authenticates _as that user_, then bind the data key to a claim with `.withLockContext({ identityClaim })`:
+
+ ```ts
+ import { Encryption, OidcFederationStrategy } from "@cipherstash/stack";
+
+ const client = await Encryption({
+ schemas: [users],
+ config: {
+ strategy: OidcFederationStrategy.create(workspaceCrn, () => getUserJwt()),
+ },
+ });
+
+ await client
+ .encrypt("alice@example.com", { column: users.email, table: users })
+ .withLockContext({ identityClaim: ["sub"] });
+ ```
+
+ This replaces the old ceremony (`new LockContext()` → `await lc.identify(jwt)` → `.withLockContext(lc)`), which relied on a per-operation CTS token that protect-ffi removed in `0.25`.
+
+ - **`.withLockContext()`** now accepts a plain `{ identityClaim }` object (as well as a `LockContext`) and no longer requires a CTS token or an `identify()` call — it carries the identity claim only.
+ - **`LockContext.identify()` / `getLockContext()`** are **deprecated** (kept for backwards compatibility); the strategy handles token acquisition.
+ - **Strategies are re-exported** from `@cipherstash/stack` (`OidcFederationStrategy`, `AccessKeyStrategy`, `AutoStrategy`, `DeviceSessionStrategy`) and from `@cipherstash/stack/wasm-inline` (`OidcFederationStrategy`, `AccessKeyStrategy`) so integrators don't need a separate `@cipherstash/auth` install. `AuthStrategy` remains re-exported for the structural type.
+
+ Existing credential / env behaviour is preserved when `config.strategy` is omitted.
+
 ## 0.18.0
 
 ### Minor Changes
diff --git a/packages/stack/package.json b/packages/stack/package.json
index 60c00c1c..b7da465f 100644
--- a/packages/stack/package.json
+++ b/packages/stack/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cipherstash/stack",
- "version": "0.18.0",
+ "version": "0.19.0",
 "description": "CipherStash Stack for TypeScript and JavaScript",
 "keywords": [
 "encrypted",